Advantech WebAccess is a web-based software package for human-machine interfaces and supervisory
control and data acquisition (SCADA). WebAccess 8.0 suffers from a vulnerability that allows an
attacker to upload a malicious file onto the web server, and gain arbitrary code execution under
the context of IIS APPPOOL\WADashboard_pool.

## Vulnerable Application

All builds of Advantech WebAccess 8.0 are affected:

* [WebAccess 8.0 _20150816](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe)
* [WebAccess 8.0 _20141103](http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20141103_3.4.3.exe)

For exploitation, there is a difference between the two versions. The 2014 version of WebAccess 8.0
had two upload actions in the UploadAjaxAction class: uploadBannerImage, and uploadImageCommon. The
2015 version of WebAccess 8.0 added another upload action: uploadFile. This exploit uses the
uploadImageCommon action because it works for both.

Advantech WebAccess 8.1 mitigated the vulnerability by enforcing authentication for
UploadAjaxAction. However, keep in mind that WebAccess 8.1 comes with a default credential of
user name "admin" with a blank password, which means the user is likely still at risk by using the
default configuration.

advantech_webaccess_dashboard_file_upload will not attempt to exploit WebAccess 8.1.

## Verification Steps

1. Start a Windows machine (such as Windows 7 SP1).
2. To install Advantech WebAccess, make sure to install the Internet Information Services Windows
   feature.
3. Download WebAccess 8.0, and install it. After installation, make sure the web application is
   operational by accessing with a browser (on port 80).
4. Start msfconsole
5. Do: ```use exploit/windows/scada/advantech_webaccess_dashboard_file_upload```
6. Do: ```set RHOST [TARGET_IP]```
7. Set other options if needed
8. Do: ```exploit```, and you should get a session.
